December 12, 2023

Last Updated on January 17, 2024

Policies are a core element of an ISO 27001 information security management system (ISMS). You need to have all the relevant policies in place to achieve an ISO 27001 certification and maintain compliance with the standard.

This article tells you what is most important to know about policies in ISO 27001, including what policies are required and why they are so important to your information security program.


What are policies in information security?

Information security policies describe how your information security program works. Important uses for information security policies include:

  • Defining your employees’ responsibilities and tasks to support the information security program
  • Demonstrating to customers and prospects that you have a robust information security program
  • Showing internal and external auditors how you have implemented your ISMS controls
  • Helping your senior management understand what to expect from your information security program, and how it aligns with business goals


ISO 27001 emphasizes transparency around information security. Policies are an important vector for communication about your ISMS both internally and externally.

A common misconception is that ISO 27001 places an onerous policy burden on organizations. In fact, your ISO 27001 policies don’t have to be long or overly detailed. Instead, they should be readable, usable, and manageable. Policies are intended to be “living documents” that guide your security program forward, not something that is only used at audit time.

While it is possible to create one massive policy document to cover your entire ISMS, it makes a lot more sense to break your policies, plans, and other documents up into practical pieces that are easier to manage and track, share with stakeholders, and assign to suitable owners.

In general, policy documents address the “why” and “what” of your ISMS, while procedures and practices specify the “how.”


Why are ISO 27001 policies important?

Policies have a reputation for being a layer of administrative control with little practical value. In ISO 27001, however, policies are an essential control category that defines what your business does to keep sensitive data secure.

Some of the reasons ISO 27001 policies are important for organizations include:

  • Supporting compliance.
    ISMS policies not only help you demonstrate and maintain compliance with ISO 27001, but also other information security standards you may be subject to, such as HIPAA, Sarbanes-Oxley (SOX) and PCI-DSS.
  • Directing technical controls implementation.
    ISMS policies describe the goals, intentions, and expectations of the business for the information security program. This gives security and IT practitioners essential guidance for implementing and enhancing technical controls.
  • Improving operational efficiency.
    Well-written policies give information security stakeholders a common view and starting point for understanding the information security program. They also provide an essential operational reference to clarify and guide information security program activities. Further, they help eliminate guesswork and inconsistent practices by documenting rules for policy exceptions.
  • Setting expectations.
    ISO 27001 policies clarify management and operational rules and expectations so that employees don’t have to rely on their individual judgement when making decisions. For example, when is it OK to share passwords? Is there a list of approved software? Can employees access company systems over unprotected public wi-fi networks? Policies can take the guesswork out of answering these kinds of questions.

Because they are a type of information security control within your ISMS, your ISO 27001 policies should be custom-fit to your business, not copied from an online template.


What is an ISO 27001 information security policy?

At the center of all your ISO 27001 documentation is your information security policy. This mandatory document should describe your management’s commitment to information security and maintaining your ISMS, along with the business objectives for your information security program. It should also outline your other ISMS policy documents and their respective scopes.

Rather than laboriously documenting the myriad details of your information security program, an ISO 27001 information security policy is recommended to cover:

  • Your company’s specific objectives for information security
  • Management’s commitment to implement and continuously improve your ISO 27001 compliant ISMS
  • Stakeholders for the document and how they can access it
  • A breakdown of the regulatory, contractual, and/or legal requirements your ISMS needs to meet
  • An overview of your process for selecting technical controls
  • Employee or third-party responsibilities and accountability for establishing, maintaining, monitoring, and reporting on ISMS performance

Besides defining what senior leaders expect from your ISMS, an ISO 27001 information security policy should also give executives—most of whom are not information security experts—a handy reference to direct the information security program.

In other words, your ISO 27001 information security policy connects your C-suite to your ISMS activities. This helps ensure that your information security program stays aligned with business goals.

What policies does ISO 27001 require?

ISO 27001 provides guidance on information security policies in its Annex A.5, “Policies for Information Security.”

The key point of Annex A.5 is that organizations must have an information security policy document. The purpose of this document is to drive the information security program. It must be approved by senior management and regularly reviewed and updated to track changes in your environment.

The information security policy is the only policy document that ISO 27001 makes mandatory. However, there are numerous specific things that the standard requires you to document. Many of these could end up in a policy or plan document.

For example, the standard requires you to document your risk management approach. This could become part of a risk management policy.

Some other policies that ISO 27001 compliant organizations often choose to document based on their risks and stakeholder requirements include:

  • Asset management policy
  • Change management policy
  • Remote working policy
  • Data protection/privacy policy
  • Data retention policy
  • Information security awareness and training policy


What’s next?

Organizations seeking ISO 27001 certification face several common challenges with writing policies. One is understanding what the standard requires them to document. Many firms over-document their policies or reference the same policies in multiple documents.

Another challenge is aligning what policies describe with what people actually do to operate the ISMS. When policies do not effectively communicate ISMS activities, information security inevitably suffers—even to the point of impacting ISO 27001 compliance and audit results.

If your business is moving towards ISO 27001 certification and you would benefit from expert guidance on how to structure your information security policy and related documents and what to include in them, contact Pivot Point Security.